n8n’s Token Exchange Vulnerability Exposed
On July 16, 2026, a security vulnerability in n8n’s workflow automation platform was disclosed. The issue permitted unauthorized access due to a flaw in the token exchange process, affecting Enterprise instances configured to trust multiple external token issuers. This flaw, identified as CVE-2026-59208, allowed tokens from one issuer to authenticate users from another issuer without verifying the source.
Understanding the Security Flaw
The vulnerability arose when n8n matched an incoming JSON Web Token (JWT) to a local user based solely on the ‘sub’ claim, neglecting the ‘iss’ (issuer) claim. This oversight meant that a valid token from issuer A could log in a user from issuer B, as long as the ‘sub’ claims matched. Notably, passwords were not involved in this authentication process. The company released a fix for this issue on June 24.
Implications and Severity
The flaw’s impact was limited to deployments where token exchange was activated and at least two external issuers were trusted. Although the affected scope was small, limited to OEM deployments, the severity was significant. GitHub assessed the vulnerability at 7.6 on the CVSS 4.0 scale, categorizing it as high severity, while NVD rated it 6.8 as medium on CVSS 3.1. Despite the potential risk, there was no public proof-of-concept or recorded exploitation at the time of disclosure.
Response and Mitigation
n8n addressed the vulnerability in versions 2.27.4 and 2.28.1, advising users to upgrade to these or later versions. For those unable to patch immediately, it was recommended to limit the configuration to a single trusted issuer or disable the token exchange feature altogether. These measures, however, were only temporary and did not fully eliminate the risk.
The advisory highlighted that while these mitigations could reduce exposure, the ultimate solution required applying the patches. The company’s changelogs did not explicitly mention the identity-related fix, indicating that users relying on changelogs for updates might miss this critical patch.
Future Outlook
The n8n team continues to work on improving the security of its platform, regularly updating and releasing new versions. Users are encouraged to maintain their systems up-to-date and monitor advisories for any further developments. The incident underscores the importance of comprehensive issuer verification in token-based authentication systems.
